Apache OpenOffice update closes buffer overflow vulnerabilities
In addition to adding new translations, the latest 3.4.1 release of Apache OpenOffice from last week also closes important security holes (CVE-2012-2665) in the open source office suite. According to the project, the update addressed multiple heap-based buffer overflow vulnerabilities in the XML manifest encryption tag parsing code used by the software which could have been exploited by a remote attacker to cause a denial-of-service (DoS) or execute arbitrary code on a victim's system.
For an attack to be successful, a victim must first open a specially crafted Open Document Format (ODF) file. The problem has been confirmed in Apache OpenOffice 3.4.0, but its developers note that earlier versions of OpenOffice.org may also be affected. The same vulnerability has also been fixed in the LibreOffice productivity suite with the release of versions 3.5.5 and 3.6.0. All users are advised to upgrade.
- Manifest-processing errors in Apache OpenOffice 3.4.0, security advisory from Apache.